18 Year-Old Security Flaw Discovered in All Versions of Windows

An 18 year-old security flaw has been recently discovered which affects all versions of Windows and lets an attacker steal a victim’s information from some of the products and services in the victim’s network. Cylance cybersecurity firm disclosed the flaw and mentions in a blog post that this was based on a security hole dating back to 1997. Aaron Spangler found the vulnerability and mentions an issue with Internet Explorer’s handling of the protocol ‘file:// URL’ plus its capacity to leak sensitive information. Read the post from Cylance here.

Cylance’s Brian Wallace shares in the blog post that the attackers use man-in-the middle attacks to steal user details. “Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate Web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”

Redirect to SMB Vulnerability

However, this Redirect to SMB flaw is not only limited to the Internet Explorer browser. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability as well. A patch is yet to be released but in the mean time, a workaround is suggested that by blocking outbound traffic from TCP 139 and TCP 445, you can put an obstacle in the way of authentication attempts that originate outside of your network while retaining SMB capabilities within it.

What is a Man-in-the-Middle Attack?

“Man-in-the-Middle (MitM) is a type of attack where the malicious user (the attacker) is able to intercept, and in some cases alter, the communication between two systems: the attacker is then able to receive and send data that are not intended to him.” IT Security Researcher, Francesco Stillavato, shares his thoughts. “This attack is very effective if the two entities of the communication do not use an encrypted communication channel (such as HTTP), since the attacker would be able to view the data transferred.”

Disable Services as a Temporary Workaround

These attacks have happened many times in the past, and it will likely happen again. It is not safe to trust only software implementations. Having IT security professionals in your team will surely help to mitigate these vulnerabilities.

It is important that you disable unnecessary services and enable them only for trusted entities. Since there is no fix to the issue, the workaround suggested by Cylance will work fine. Be sure to block outbound SMB connections, enforce your NTLM group policy and use strong password.

UPDATE: A patch has been issued by Microsoft for this vulnerability. You may check this reference link of the said patch: Vulnerability Note VU#672268

Defend your IT Network with Practical Network Defense

Learn to defend your IT network from cyberattacks with eLearnSecurity’s Practical Network Defense training course. This is a hands-on training course for IT Admins, System Analysts, Penetration Testers, Security Specialists, Network Engineers, etc. where you can learn to protect your network from common attack vectors. Check it out here – Practical Network Defense.

Francesco Stillavato is a Senior IT Security researcher and instructor at eLearnSecurity with 6 years of experience in different aspects of Information Security. His experience spans from web application secure coding to secure network design. He has contributed to the Joomla project as a Developer and has conducted a number of assessments as a freelance.